| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First landing failed because of an obscure problem with building
linux_shared. This change passes the linux_shared trybot (and
linux and linux_chromeos trybots).
Changing OOM range to 0, 1000 and tweaking OOM algorithm.
With this change, we now use the newer oom_score_adj file (with
fallback to oom_adj when on a system that doesn't support it) so that
we can take advantage of a finer range ([0, 1000] instead of [0, 15]).
Also tweaked the OOM priority manager to prioritize things in a
slightly different order, preferring (even more) not to kill tabs that
the user has currently selected.
Original review: http://codereview.chromium.org/7671033/
BUG=chromium-os:18421, chromium:65009
TEST=Ran on device, observed OOM adj values, forced OOM conditions to
watch kills.
Review URL: http://codereview.chromium.org/7708020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97888 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this change, we now use the newer oom_score_adj file (with
fallback to oom_adj when on a system that doesn't support it) so that
we can take advantage of a finer range ([0, 1000] instead of [0, 15]).
Also tweaked the OOM priority manager to prioritize things in a
slightly different order, preferring (even more) not to kill tabs that
the user has currently selected.
BUG=chromium-os:18421, chromium:65009
TEST=Ran on device, observed OOM adj values, forced OOM conditions to
watch kills.
Review URL: http://codereview.chromium.org/7671033
TBR=gspencer@google.com
Review URL: http://codereview.chromium.org/7685030
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97728 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this change, we now use the newer oom_score_adj file (with
fallback to oom_adj when on a system that doesn't support it) so that
we can take advantage of a finer range ([0, 1000] instead of [0, 15]).
Also tweaked the OOM priority manager to prioritize things in a
slightly different order, preferring (even more) not to kill tabs that
the user has currently selected.
BUG=chromium-os:18421, chromium:65009
TEST=Ran on device, observed OOM adj values, forced OOM conditions to
watch kills.
Review URL: http://codereview.chromium.org/7671033
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97724 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
| |
TBR=rvargas@chromium.org
Review URL: http://codereview.chromium.org/7582007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@95619 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
Reapply r83630, r83629, r83583, and fix the one compile error.
TBR=rvargas
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83740 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
| |
Review URL: http://codereview.chromium.org/6902177
TBR=evan@chromium.org
Review URL: http://codereview.chromium.org/6903159
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83635 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
| |
Review URL: http://codereview.chromium.org/6902177
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83629 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
---
chroot to /proc instead of /tmp. This gets rid of a lot of unnecessary
complexity and fixes a race condition.
(Original idea from Markus)
The chroot helper will chroot to /proc/self/fdinfo (or /proc/self/fd). This is
pretty safe because access to this directory is protected by the ptrace() check
in the kernel and the helper is privileged.
Moreover, as soon as the helper _exit() and becomes a zombie, the directory
will be empty. Zygote should wait() for us to make everything deterministric.
We also export SBX_HELPER_PID so that Zygote can specifically wait for the
helper.
---
BUG=76542
R=markus,agl
Review URL: http://codereview.chromium.org/6683056
TBR=cevans@chromium.org
Review URL: http://codereview.chromium.org/6675053
TBR=laforge@chromium.org
Review URL: http://codereview.chromium.org/6780010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@79921 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
---
chroot to /proc instead of /tmp. This gets rid of a lot of unnecessary
complexity and fixes a race condition.
(Original idea from Markus)
The chroot helper will chroot to /proc/self/fdinfo (or /proc/self/fd). This is
pretty safe because access to this directory is protected by the ptrace() check
in the kernel and the helper is privileged.
Moreover, as soon as the helper _exit() and becomes a zombie, the directory
will be empty. Zygote should wait() for us to make everything deterministric.
We also export SBX_HELPER_PID so that Zygote can specifically wait for the
helper.
---
BUG=76542
R=markus,agl
Review URL: http://codereview.chromium.org/6683056
TBR=cevans@chromium.org
Review URL: http://codereview.chromium.org/6675053
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@79867 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
---
chroot to /proc instead of /tmp. This gets rid of a lot of unnecessary
complexity and fixes a race condition.
(Original idea from Markus)
The chroot helper will chroot to /proc/self/fdinfo (or /proc/self/fd). This is
pretty safe because access to this directory is protected by the ptrace() check
in the kernel and the helper is privileged.
Moreover, as soon as the helper _exit() and becomes a zombie, the directory
will be empty. Zygote should wait() for us to make everything deterministric.
We also export SBX_HELPER_PID so that Zygote can specifically wait for the
helper.
---
BUG=76542
R=markus,agl
Review URL: http://codereview.chromium.org/6683056
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@79618 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This means changes to the sandbox won't have to be committed twice, to
both trees.
This is a retry of r57921, which was committed with git-svn and failed
to remove the "seccomp" directory. This caused problems when trying
to "svn checkout" to the same location, and the change was reverted.
This time I will use SVN to commit the change.
BUG=none
TEST=smoke test of running chromium with --enable-seccomp-sandbox
Review URL: http://codereview.chromium.org/3225010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@58184 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
copy
This means changes to the sandbox won't have to be committed twice, to
both trees.
BUG=none
TEST=smoke test of running chromium with --enable-seccomp-sandbox
Review URL: http://codereview.chromium.org/3249003
TBR=mseaborn@chromium.org
Review URL: http://codereview.chromium.org/3245011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57933 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This means changes to the sandbox won't have to be committed twice, to
both trees.
BUG=none
TEST=smoke test of running chromium with --enable-seccomp-sandbox
Review URL: http://codereview.chromium.org/3249003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57921 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows file namespace access to be turned on for the purpose of
testing, and we use this in some of the tests, but it is disabled by
default.
This synchronises the Chromium copy with r88 in the non-Chromium copy of
seccomp-sandbox.
BUG=none
TEST=make test
Review URL: http://codereview.chromium.org/3248002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57722 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
This can cause issues with the automounter on ubuntu.
R= agl
BUG= http://b/2824277
TEST= see bug. Or see traffic on the bug drop to <10 comments/day.
Review URL: http://codereview.chromium.org/3146044
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57469 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
| |
(aka: agl's an idiot. Thanks Julien.)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@53180 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
<iostream> creates a static initializer. Most people don't need <iostream>
anyway--they really need <ostream> for operator<< overloads. <iostream>
should *never* be included in a header file; <iosfwd> exists for that purpose.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/3014015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@53083 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
(Idea from Julien Tinnes)
BUG=none
TEST=Navigate to about:sandbox on Linux and see the status of the sandbox.
http://codereview.chromium.org/2966003/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@52176 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This should work both standalone and inside the Chromium build.
I have not included an action for running the tests, since having
such an action does not seem to be common in the Chromium build.
BUG=none
TEST=seccomp_tests
Review URL: http://codereview.chromium.org/2165001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@48043 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch attempts to fork off the sandboxed process with the
additional NEWNS and NEWNET flags. If these flags aren't supported at
runtime then the code will degrade to the current behaviour.
NEWNS starts children in a new mount namespace so that they cannot
affect the parent's mounts. (This is a little bit useless every little
helps.)
NEWNET starts children in a new network space, initially with no
network devices and this stops sandboxed processes from talking to the
network. Additionally, children exist in their own namespaces for UNIX
domain sockets and the abstract namespace.
http://codereview.chromium.org/2108020/show
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@48040 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SUID sandbox can be used to set the oom_adj value for non-dumpable
processes owned by the same user. When doing so, we previously first
checked the directory owner and then opened the oom_adj file. In between
the check and the open, the process could have died and another process
could have taken that PID value. We would then adjust the OOM value of
the wrong process.
Given how PIDs are allocated, this is very hard to exploit and, even
then, a minor security issue at best, but we can avoid the issue
entirely with openat.
http://codereview.chromium.org/2118007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47801 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The intention behind this is to make it easier to sync the .gyp file
into the non-Chromium copy of the seccomp sandbox so that it can be
used to build a standalone version of the sandbox.
Also, it arguably makes the .gyp files more manageable.
Removes a dependency on "base", which the seccomp sandbox does not use.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/1939002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47792 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
from within the sandbox.
Added tests for the new functionality and merged the tests for sigreturn()
that had previously been committed to the standalone version of the sandbox
(on Google Code)
TEST=run "make test"
BUG=37728
Review URL: http://codereview.chromium.org/2074003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47561 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Test that signal handlers can be run OK. This tests the support
for sigreturn() (that involves patching the VDSO) that was added
in r76 of the non-Chromium version of the sandbox.
Test that signal masks can be set and read. This tests the
sigprocmask() support that was added in r70.
Add a mechanism for checking that a test exits with an expected
non-zero exit status, such as SIGSEGV.
BUG=none
TEST=test_syscalls
Review URL: http://codereview.chromium.org/2087013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47541 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
stack of the newly created thread, instead of creating it on the caller's
stack and copying it over. This eliminates the need to do complicated touch-ups
of the signal stack's data structure, which turned out to be incorrect for
the FPU state. Thanks to Mark Seaborn for pointing out this simplification of
the code.
TEST=Chrome no longer crashes in tcmalloc
BUG=none
Review URL: http://codereview.chromium.org/2051005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@46928 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These tests were useful for debugging reference_trusted_thread.cc.
Test an easily-forwarded system call, dup(). Also test clone()
directly, in addition to testing it indirectly via pthread_create().
Check for leaked FDs.
Change the test runner to run all tests, even if one fails, rather
than stopping at the first failed test.
Review URL: http://codereview.chromium.org/1750014
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/1756015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45806 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
as far away from the stack as possible, but still as close to the VDSO as we
can.
BUG=none
TEST=run the tests in a tight loop and notice that they no longer randomly fail
Review URL: http://codereview.chromium.org/1807002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45775 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
complicated by the fact that in Seccomp mode, we can only ever call
sigreturn(). But in order to eventually support sigaction(), we want to
be able to also call rt_sigreturn().
We solve this problem by rewriting the signal stack frame from an RT
signal frame to a legacy frame. Fortunately, this part of the signal
frame is stable between kernel versions. The unstable part (i.e. extended
registers such as FP, MMX, SSE, ...) is always identical in both in both
types of signal frames.
None of these complications exist on x86-64 and it is relatively
straight-forward to enable support for the system call. The only
difficulty lies in the fact that its calling conventions are somewhat
different from "normal" system calls. So, we have to handle rt_sigreturn()
from within the syscallWrapper() and the segv() handler and cannot write
it in C code.
TEST=ad hoc testing until we have support for sigaction(). Then we can add a unittest
BUG=37728
Review URL: http://codereview.chromium.org/1739011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45774 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add some automated tests for seccomp-sandbox
This covers some of the syscalls that are proxied by the trusted process.
This adds a basic test runner framework.
Fix error return code for open() and other syscalls on x86-64
On error, the open() syscall was returning errno & 0xffffffff in %rax
on x86-64 instead of -errno. This stops glibc from regarding this as
an error, and so its syscall wrapper returns -errno instead of -1 and
does not set errno.
I have fixed up the other syscalls to use long (64-bit) instead of int
(32-bit) as well. Not all of them were affected by the problem: it
depends on gcc's code generation. Sometimes casting to int truncates
a value, sometimes it doesn't. It seems better to be consistent
though.
Adds a test for open() and some other syscalls.
TODO: Need to figure out how to run the tests automatically
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/1729003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45379 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We previously assumed that no signals would ever be enabled in the sandbox
and thus there was no way to trick the trusted thread into executing potentially
untrusted code.
In an attempt to lift this restriction, this changelist modifies the trusted
thread so that
- it has an invalid stack pointer at all times. Any attempt to handle a
signal would result in the kernel trying to push a signal stack, which
would immediately result in a SEGV and then terminate the application.
- all signals are blocked while outside of trusted code. If a signal is
triggered, it either gets handled on one of the sandboxed threads (for
asynchronous signals), or it results in the application getting terminated
by the kernel (for synchronous signals).
This changelist is difficult not only because eliminating all uses of the
stack pointer requires some very careful assembly coding, but more importantly
because we have to restore signals after we enter seccomp mode.
As sigprocmask() is a restricted system call, the only way to restore the
signal mask is by calling sigreturn() with a suitably tweaked signal
stack frame. While the first couple of bytes of the signal stack frame are
well-defined and unlikely to change, the entire signal stack frame is not
documented as part of the stable ABI. The exact format depends on the number of modified CPU registers (e.g. SSE, MMX, floating point, ...)
The only way for us to get a valid signal stack frame is to trigger a
signal, and to create a (possibly adjusted) copy of the signal frame. We
obviously have to do this _before_ we block all signals upon entering
trusted code.
The two places where this needs to happen is upon start of the sandbox when
launching the initial trusted thread, and upon any call to clone().
BUG=37728
TEST=Run chrome and verify that /proc/$PID/status shows the correct signal mask for trusted threads. The latter can be identified with strace.
Review URL: http://codereview.chromium.org/1594040
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45055 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the chromium_zygote_t type and adds a
chromium_renderer_t type. Also, a basic policy for chromium_renderer_t
is included.
I decided not to try to have a different policy for the zygote since
it just makes things more complex for little reason.
BUG=none
TEST=none
http://codereview.chromium.org/1104002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44908 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(c.f. http://people.redhat.com/drepper/selinux-mem.html)
Fix compilation warnings on Fedora.
BUG=none
TEST=when running Chrome on Fedora, verify that we don't get AVC warnings
Review URL: http://codereview.chromium.org/1535004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@43107 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
BUG=32501
TEST=none
Review URL: http://codereview.chromium.org/1574001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42992 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a followup to an earlier change (r38266) which did most of the
warning-related cleanup. This one just flips the flag, and fixes some
new warnings that crept in during the window while the flag was off.
Second try, now with some libpng fixes.
BUG=34160
Review URL: http://codereview.chromium.org/1320011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42700 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
Compiled locally and on trybots but failed on builder?!
This reverts commit r42688.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42689 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is a followup to an earlier change (r38266) which did most of the
warning-related cleanup. This one just flips the flag, and fixes some
new warnings that crept in during the window while the flag was off.
BUG=34160
Review URL: http://codereview.chromium.org/597023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42688 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
Make tcmalloc compatible with the seccomp sandbox by avoiding making direct system calls from within tcmalloc.
BUG=38973
TEST=none
Review URL: http://codereview.chromium.org/1294001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@42667 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
TBR=markus
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/1107001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41931 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
sandbox.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/1076001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41917 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
| |
is going to be skewed slightly, as calling gettimeofday() by itself also
takes a little bit of time. But it should be good enough to allow us to see
where we have performance bottlenecks.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/997009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41905 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This sets up useful flags like -Wall -Werror etc.
Also squash a compiler warning:
sandbox/linux/suid/process_util_linux.c: In function ‘AdjustOOMScore’:
sandbox/linux/suid/process_util_linux.c:25: error: format ‘%lu’ expects type ‘long unsigned int’, but argument 4 has type ‘pid_t’
BUG=none
TEST=try-servers
Review URL: http://codereview.chromium.org/733001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41161 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
| |
BUG=32501
TEST=none
Review URL: http://codereview.chromium.org/672011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40946 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
were observed on some machines (in particular in 32bit mode).
- Some more changes to avoid calling into glibc when we can make a direct
system call, instead. These particular call sites were unlikely to cause
any problems. But it makes the code easier to audit if we avoid all
unnecessary calls into glibc.
- In 64bit mode, gettimeofday() is handled by vsyscalls and tends to be cheap.
In 32bit mode, it is just a regular system call. Some users rely on being
able to call gettimeofday() at a very high rate (up to thousands of
consecutive calls). Recognize this system call pattern and optimize for it.
- Add debugging option that allows us to warn about expensive system calls.
In many cases, these warnings can then be used to optimize the sandboxed
application.
- Fix compilation on newer versions of gcc.
- Changed the x86-32 version of the code that we use when intercepting
system calls. Previously, we would use CALL to jump to the set of
instructions that we had relocated. But we made the mistake of allowing
relocation of instructions that reference %esp. This doesn't work, as
CALL modifies the stack. We now avoid using CALL and instead jump
directly. On x86-32 that requires the use of a PUSH/RET combination as
there is no 32bit wide JMP instruction.
The x86-64 version of the code was already written in a way that would
avoid this particular problem.
(I would like to thank Craig Schlenter for his exceptional detective
work in tracking down the root cause of this bug!)
- For debugging purposes, injected a really small library (less than 4kB)
and discovered that some of our memory map manipulations implicitly
relied on mappings to be at least two pages long. Fixed the code that
made this incorrect assumption.
- For really small libraries, the runtime linker can choose a different
more compact layout. Our computation of the ASR offset did not know how
to deal with that. Fixed by explicitly looking for a ".text" segment
instead of looking for a PT_DYNAMIC section.
- Closed a file descriptor that we kept open longer than needed.
- Removed some unused code.
- Added copyright headers
TEST=tested on i386 and x86-64
BUG=36133
Review URL: http://codereview.chromium.org/661438
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@40900 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This avoids false positives if the directory name matches one of the well-known
library names (e.g. ld).
False positives not only result in a performance hit at startup, because we
are now trying to instrument libraries that don't actually contain any system
calls; but even worse than this, we could try to instrument system calls in
the sandboxing code itself. And those system calls are deliberately coded so
that they will not get rewritten.
Fortunately, none of this is a security problem. If we accidentally rewrite
system calls that weren't supposed to be rewritten, we will just crash on
startup.
TEST=the sandbox now works on the buildbots
BUG=36133
Review URL: http://codereview.chromium.org/652188
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39839 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
code hard to understand (and possibly broken) otherwise, some versions of
GCC complain about the comparison without the cast.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/657034
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39838 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this means the calls will still be denied. But we now return a correct return
code.
But more importantly, this change brings the source code in line with the code
of the stand-alone opensource sandbox. Wherever possible, we try to keep both
code bases identical.
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/657040
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39837 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
| |
temporary directory.
BUG=30926
TEST=tested with tmpfs, ext3 and NFS
Review URL: http://codereview.chromium.org/650177
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39679 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
| |
int and long are the same size on the platforms we care about,
but gcc doesn't like comparing int against LONG_MAX.
Review URL: http://codereview.chromium.org/604056
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39071 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
| |
This is needed for opening the renderer<->plugin channel.
TEST=flash works in seccomp mode
Review URL: http://codereview.chromium.org/563024
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@38037 0039d316-1c4b-4281-b951-d872f2087c98
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We were hitting a stack overflow on renderer startup, because of the following:
When we patch out syscalls, we need a scratch space near (within a 32-bit jump)
of the original code. We pick the scratch space as the end of the nearest empty
region available before the code we're patching. For the vdso region, the
stack lies directly before it and so the region we'd grab was directly before
the stack. This meant that as soon as the stack attempted to grow it'd fail
because it ran into our patch region, and we'd hit a stack overflow.
The fix is to specially note when we're near the stack region, and instead put
our scratch space as far away from the stack as possible.
Review URL: http://codereview.chromium.org/518071
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35759 0039d316-1c4b-4281-b951-d872f2087c98
|
